Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
Excerpt | ||
---|---|---|
| ||
MFA is a simple best practice that adds an extra layer of protection on top of your existing OpenSSH key. With MFA enabled, when a user connects to bastion-host, they will be validated by their key pair (the first factor - what they know) as well as for an authentication response from their MFA device (the second factor - what they have). |
What is Multi-Factor-Authentication
MFA is a simple best practice that adds an extra layer of protection on top of your existing OpenSSH key. See Access an environment via OpenSSH or Putty
With MFA enabled, when a user connects to bastion-host, they will be validated by their key pair (the first factor - what they know) as well as for an authentication response from their MFA device (the second factor - what they have). Taken together, these multiple factors provide increased security for your environment.
Preconditions
You need access to jumphost with you personal Openssh access key. Access an environment via OpenSSH or Putty
General process
Currently MFA is disabled by default.
When MFA is enabled by root360, MFA is enforced for all users incl. root360 customer service staff and project users. Exceptions are not supported. You need to cross-check with your CI/CD integration to ensure your processes are not disrupted.
Following steps are required to enable full MFA support environment access:
check and accept preconditions
request activation of MFA
activate MFA
Preconditions for MFA
BatchMode must be disabled in your SSH client (see https://linux.die.net/man/1/ssh)
MFA token has to be (re-)generate on each provisioning of bastion host instance (e.g. rebuilt of the host)
Request activation of MFA
Request activation of MFA for a dedicated environment via change request at https://support.root360.cloud.
Activate MFA (only required for SSH)
As soon as MFA is enforced, SSH login will not work anymore. You may see following message
Code Block | ||
---|---|---|
| ||
MFA required, please check our documentation https://faq.root360.cloud/564625495/How+to+activate+MFA+Multi-Factor-Authentication+for+SSH [projectuser]@[bastionhostIP]: Permission denied (keyboard-interactive). |
To activate MFA you have to login to the bastion-host of your environment to port 222 and follow the instructions:
Code Block |
---|
$ ssh -p 222 [projectuser]@[bastionhostIP] |
You may scan QR code or use verification secret and add it to you virtual device MFA.
Supported Methods
At the moment For SSH access we support virtual device MFA with TOTP. You may use compatible apps like "Google Authenticator" or "Authy" to manage your virtual MFA.
For OpenVPN we support authentication with your Dashboard (root360) password.
Note |
---|
Each virtual MFA device assigned to a user must be unique. A user cannot type a code from another user's virtual MFA device to authenticate. |
Related tutorials
Filter by label (Content by label) | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
Related Components
Filter by label (Content by label) | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
Status | ||||
---|---|---|---|---|
|
Table of Contents | ||
---|---|---|
|
Filter by label (Content by label) | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
|